CURRENT MONTH (May 2019)

Cybersecurity

Georgia Supreme Court Finds State Has No Duty to Protect Personal Information

According to the highest court in the state, Georgia state government does not have an inherent obligation to protect citizens’ personal or sensitive data like social security numbers or status on the unemployment rolls. This decision was taken without consideration of damage to the plaintiff citizens whose data was negligently distributed.

On May 20, 2019, the Georgia Supreme Court issued its opinion in Georgia Dept. of Labor v. McConnell, a landscape-changing privacy decision that, in the absence of a special relationship, rids Georgia governmental entities of the general duty to safeguard personal information given to them.

This case arose because the Georgia Department of Labor (the “Department”) created a spreadsheet containing the name, social security number, home telephone number, e-mail address, and age of 4,757 individuals who applied for unemployment benefits and other services administered by the Department. The Department mistakenly sent that spreadsheet to 1,000 recipients without the individuals’ permission. The affected individuals (the “Plaintiffs”) brought suit, alleging the Department breached its duty to protect their information.

The Court rejected Plaintiffs’ argument that the Department owed a common law duty to Plaintiffs “not to subject them to an unreasonable risk of harm.” The Court also rejected Plaintiffs’ assertion that the Department employees, as public officers, breached their fiduciary duty under the Georgia Constitution to protect the information. Lastly, the Court rejected Plaintiffs’ argument that a fiduciary relationship existed between Plaintiffs and the Department. According to the Court, the exchange of information for services is commonplace and insufficient to show a special relationship of trust or mutual confidence between the parties.

Now, entities must be careful when contracting with Georgia governmental entities if sharing personal information. Companies should also consider contractual protections addressing exchanges of personal information going to the government and mandate that information is kept according to certain information security practices.

Network Security: A ‘National Emergency’

By Danielle Rheaume, Villanova University Charles Widger School of Law

President Donald Trump declared foreign intrusions against United States information and communications technology and services a national emergency, citing the potential of foreign adversaries to create and exploit vulnerabilities within the networks. To address this threat, President Trump issued an executive order that will set up additional protections against potential malicious cyber-enabled actions. The order’s sweeping language bars U.S. companies from acquiring, importing, transferring, dealing in, or using any information and communications technology or service “where the transaction involves any property in which any foreign country or a national thereof has any interest,” if the U.S. Department of Commerce deems the action to be a threat to national security. In addition, the order gives broad authority to the Secretary of Commerce in implementing further regulations and compliance mandates onto U.S. businesses in regard to these transactions.

Data Privacy

New Jersey Amends Data Breach Notification Law

By Andrew Kim, University of Virginia School of Law

New Jersey has amended P.L.2005, c.226 to strengthen its data breach notification law. Prior to this amendment, the law required entities to disclose breaches involving only: 1) an individual’s Social Security number; 2) driver’s license number or state identification card number; or 3) account number, credit card number, or debit card number, in combination with any security code which would give access to an individual’s financial account. Pursuant to this amendment, however, entities must now also disclose breaches concerning online account information. Such information includes an individual’s user name, email address, or any other identifying information in combination with any password or security question and answer which would give access to an online account. Entities may notify individuals about the breach of their online information through electronic means. However, if the individual’s email itself has been breached, the entity may not provide notification of such breach through this email account. Instead, the entity must alert the individual through other means that would give clear notice to the individual.

Like many employers, Southwest uses an intranet site to distribute employment policies to its employees. When new policies or updates to existing policies are distributed, Southwest places an announcement on the main page of the site. The announcement provides employees with electronic links to the written policies and instructs them to “Check the Box” “to acknowledge they have received, read and reviewed the policies and that they understand and agree to comply with them.” The announcement appears on the main page of the site until the employee electronically checks the box.

A Southwest Airlines field instructor brought a wage-hour class action suit, alleging that she and other similarly situated employees were improperly classified as exempt employees. After Southwest moved to compel arbitration, the employee challenged the validity of the agreement to arbitrate on two fronts: (1) that Southwest could not prove that she was the one who checked the box, and (2) that if she did consent to arbitration, her consent was invalid because the agreement terms were inconspicuous.

With respect to the first argument, the court found that the employee did not deny she checked the box, and that the undisputed evidence showed that someone using the employee’s unique user name and password logged into the employee’s account and checked the box.

The court also found that the language regarding arbitration was not inconspicuous. The announcement on the main page consisted of four paragraphs, the second of which was titled “Alternative Dispute Resolution Program,” and contained a hyperlink to the entire program. The court also found that, simply because the employee may not have clicked the hyperlink to read the policy language (and was not required to), the existence of the arbitration agreement was not unclear or hidden.

International Law

Polish Data Authority Issues First GDPR Fine

By Valerie Surgenor, MacRoberts LLP

April 2019 saw the Polish Data Protection Supervisory Authority issue its first fine under the new GDPR rules. It issued a 200,000 Euro fine in the context of direct marketing where the controller was processing publicly available personal data but was not complying with the information obligations under Art. 14(1) to (3) of the GDPR. The decision should be of both interest and concern to those operating in the direct marketing space utilising publicly available information and further demonstrates the requirement to comply with the founding principles of accountability and transparency, particularly in the context of consent and the data subject’s control of their personal data. Where the information obligations are not met, the data subject is unlikely to know who is processing their data, which ultimately means the data subject will not be able to exercise their rights under the GDPR.

Digital Currency

On May 9, 2019, the Financial Crimes Enforcement Network (FinCEN) issued additional guidance regarding the application of its money services businesses (MSB) regulations to virtual currency activities. FinCEN explicitly states that the document does not establish any new regulatory requirements but merely consolidates prior guidance. FinCEN reiterates that its regulations on money transmission cover not just the transfer of currency but other value that substitutes for currency and thus can encompass certain virtual currency activities. FinCEN then discusses a number of business models – including wallets, crypto ATMs, peer-to-peer exchanges and decentralized apps – and analyzes when the MSB regulations might apply.

The Federal Election Commission recently issued an advisory opinion in response to a request by OsiaNetwork (“Osia”), a company that plans to enable individuals to pool their computer processing power to mine cryptocurrencies for the benefit of political committees of the miners’ choosing. In that opinion, the FEC examined whether either Osia’s or the miners’ activities constituted “contributions” under the Federal Election Campaign Act. The FEC concluded that Osia’s activities are not contributions because Osia plans to charge the political committees a “usual and normal charge” for the processing services it provides. However, it then concluded that the miners’ activities are contributions, finding that pooling hash power to mine cryptocurrencies does not fall within the exception available to individuals who provide “uncompensated internet activities,” which generally includes things like sending or forwarding emails, blogging, and maintaining campaign websites. The contribution will equal the value in U.S. dollars of the cryptocurrency mined.

Osia, even though it will not be making contributions, will take on compliance obligations. As a vendor forwarding contributions to political committees, it must report to the political committee treasurer certain information related to the contributors as required by election regulations. And while not required, the FEC advised Osia to provide information to the miners, allowing them to track their contributions to a given political committee so the miners may comply with contribution limits.